{"viewCount": 3, "id": "MOZILLA-PATCHES-PWN2OWN-ZERO-DAYS-IN-FIREFOX-28/104889", "hash": "522d80e9763a8b088e820bc8cf0069295b18fabd2ee71ec64861c92310cb4c01", "description": "The Firefox web browser took a beating during last week\u2019s Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process.\n\nYesterday, Mozilla capped all four bugs among 18 security advisories addressed in Firefox 28.\n\nFirefox was by no means the only browser targeted during the annual contest; all four leading vendors failed to hold up against some of the best white hat hackers in the world. Two days ago, Google led the charge with the [first set of patches addressing vulnerabilities disclosed during Pwn2Own](<http://threatpost.com/google-patches-four-pwn2own-bugs-in-chrome-33/104828>). Google also paid out more than $150,000 to the winners of its Pwnium contest which went after bugs in Chromium and the Chrome OS.\n\nGeorge Hotz, known by his handle geohot and for his iPhone and PlayStation 3 jailbreaking, cashed in at both competitions. 
The 24-year-old claimed a $50,000 prize for a zero-day in Firefox that also affected Thunderbird and Seamonkey, Mozilla said.\n\nMozilla said in its advisory that Hotz discovered an issue where values are copied from an array into a second, neutered array. \u201cThis allows for an out-of-bounds write into memory, causing an exploitable crash leading to arbitrary code execution,\u201d Mozilla said in its [advisory](<https://www.mozilla.org/security/announce/2014/mfsa2014-32.html>).\n\nHotz\u2019s big prize, however, came during the Pwnium event when he scored a $150,000 prize for a persistent code execution bug discovered in the Chrome OS. Pwn2Own and Pwnium veteran hacker Pinkie Pie also found sandbox code execution and kernel out-of-bounds vulnerabilities; Google has yet to announce his prize.\n\nThree other Pwn2Own bugs were patched by Mozilla in Firefox 28.\n\nResearcher Juri Aedla, a frequent Google bug-hunter, found a zero-day code execution bug in the browser. Mozilla said in its [advisory](<https://www.mozilla.org/security/announce/2014/mfsa2014-31.html>) that: \u201cTypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.\u201d\n\nResearchers from French exploit vendor VUPEN were the big winners during Pwn2Own and Pwnium, cashing in six times, including a Firefox zero-day. Team VUPEN found a memory corruption issue leading to an [exploitable use-after-free condition](<https://www.mozilla.org/security/announce/2014/mfsa2014-30.html>). Founder Chaouki Bekrar told Threatpost that the discovery of the zero-day required running more than 60 million test cases through a fuzzer.\n\nPolish researcher Mariusz Mlynski was the fourth Pwn2Own contestant to topple Firefox. 
He combined two vulnerabilities to gain privilege escalation.\n\n\u201cCombined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution,\u201d Mozilla said in its [advisory](<https://www.mozilla.org/security/announce/2014/mfsa2014-29.html>).\n\nFirefox 28 addressed one more critical vulnerability, actually a set of memory safety hazards, Mozilla said.\n\n\u201cSome of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code,\u201d Mozilla said in its [advisory](<https://www.mozilla.org/security/announce/2014/mfsa2014-15.html>).", "href": "https://threatpost.com/mozilla-patches-pwn2own-zero-days-in-firefox-28/104889/", "history": [], "edition": 1, "threatPostCategory": "Web Security", "cvelist": [], "references": ["https://threatpost.com/browser-address-bar-spoofing-vulnerability-disclosed/119951/", "https://www.mozilla.org/security/announce/2014/mfsa2014-31.html", "https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/", "https://www.mozilla.org/security/announce/2014/mfsa2014-15.html", "https://threatpost.com/vbulletin-patches-serious-flaw-in-forum-software/119817/", "https://www.mozilla.org/security/announce/2014/mfsa2014-30.html", "https://www.mozilla.org/security/announce/2014/mfsa2014-32.html", "http://threatpost.com/google-patches-four-pwn2own-bugs-in-chrome-33/104828", "https://www.mozilla.org/security/announce/2014/mfsa2014-29.html"], "modified": "2014-03-20T10:45:44", "cvss": {"score": 0, "vector": "NONE"}, "bulletinFamily": "info", "title": "Firefox 28 Patches Four Pwn2Own Zero-Day Vulnerabilities", "objectVersion": "1.2", "reporter": "Michael Mimoso", "lastseen": "2016-09-04T20:50:40", "type": "threatpost", "published": "2014-03-20T06:45:00", "enchantments": {"vulnersScore": 7.8}}